How 1 Microsoft Policy Threatens the World’s Cyber Security

A growing problem.

Dan Dzombak
4 min read · May 28, 2014

The fragility of cyber security has been in the spotlight recently, with 145 million accounts compromised at eBay and the revelation of the Heartbleed bug, a major vulnerability in encryption that potentially exposed the passwords of nearly every website. As a result, hundreds of millions of people around the world were told to change their passwords for every site they use. Many may be discovering for the first time the Microsoft password policy that threatens the world’s cyber security. Read on to find out more.

Microsoft’s Policy

In articles on cyber security and passwords, I have always written, “Use long, complex passwords. By that, I mean at least 16 characters with numbers, symbols, uppercase letters, and lowercase letters.” Sixteen is my prescribed bare minimum.

Microsoft’s password policy, however, limits passwords to a maximum of 16 characters.

Microsoft’s policy is in stark contrast to Google’s, which allows 200-character passwords, while Apple and Yahoo! top out at 32 characters. Facebook and Twitter appear to have no limit on password length, but I could not confirm that.

The difference between an 8-character, 12-character, 16-character, and 32-character password is staggering. Assuming 94 possible characters, the number of combinations for each is below.

While the time it would take to brute-force a 16-character password is long, and 32 characters is basically impossible, this process is now far from random. With multiple leaks over the past few years, particularly Adobe’s 130 million password release in 2013, LinkedIn’s 6.5 million password leak, and RockYou’s 32 million password release in 2010, password crackers can first run these old lists against account management systems. Using lists like these, an expert last year was given 16,400 encrypted passwords and was able to crack 90% of them in less than a day.
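The keyspace comparison above and the leaked-list problem in this paragraph, worked through as an added example that is not part of the original article: it computes the combinations and entropy bits for the four lengths with the article’s 94-character alphabet, estimates how long exhausting each keyspace takes at an assumed guess rate, and shows a length policy that also rejects any password found in a breach list, which is where a long reused password fails regardless of its length. The guess rate, the sample passwords, and the four-entry stand-in for a leaked list are constructed assumptions; the `max_length` parameter models a cap like Microsoft’s 16.

```python
import hashlib
import math
from typing import Optional, Tuple

ALPHABET_SIZE = 94  # printable ASCII without the space, as the article assumes


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of exactly this length (exact big integer)."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int = ALPHABET_SIZE) -> float:
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet)


def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Years a brute-force search needs to try every password of this length."""
    return keyspace(length) / guesses_per_second / (365.25 * 24 * 3600)


# Constructed stand-in for the leaked lists named in the article (Adobe, LinkedIn,
# RockYou). Kept as SHA-1 hex digests so the checker never stores plaintexts; a real
# deployment would load the full dumps or query a breach-lookup service.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("123456", "password", "Tr0ub4dor&3", "correct horse battery staple")
}


def evaluate(password: str, min_length: int = 16,
             max_length: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). max_length=None means no cap on length."""
    if max_length is not None and len(password) > max_length:
        return False, f"longer than the {max_length}-character cap"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if hashlib.sha1(password.encode()).hexdigest() in LEAKED_SHA1:
        return False, "appears in a known breach list; length does not help here"
    return True, "ok"


if __name__ == "__main__":
    for n in (8, 12, 16, 32):  # assumed rate: one billion guesses per second
        print(f"{n:2d} chars: {keyspace(n):.3e} combinations, "
              f"{entropy_bits(n):.1f} bits, {years_to_exhaust(n, 1e9):.3g} years")
    for pw in ("correct horse battery staple", "xK9#mT2$vL7!qR4&wP1@"):
        print(repr(pw), evaluate(pw), evaluate(pw, max_length=16))
```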

Nine simple tips to boost your cybersecurity
It’s better to be safe than sorry. Here are some tips to boost your personal cyber security:

1. Use long passwords. By that, I mean at least 16 characters. While Microsoft limits you to 16 characters, there are simple ways to create and remember longer passwords for sites that allow more than 16 characters.

2. Use two-step authentication wherever possible.

3. Don’t reuse the same password across multiple websites.

4. Choose obscure or incorrect answers to your password retrieval questions.

5. Use antivirus software and set it to update automatically.

6. Set all software you use to update automatically.

7. Use BillGuard to monitor your credit card. BillGuard is a free monitor for your credit and debit cards (they use the crowdsourced data to create the most advanced fraud monitoring system, which they sell to credit card companies).

8. If you receive a suspicious email, do not open it, and especially do not open it if it has attachments.

9. If you receive a suspicious email from someone you know, especially if it has attachments or links that seem suspicious, call (do not email) the person to confirm he or she sent it.

Microsoft’s View

When this issue was first brought to the public’s attention nearly two years ago, a Microsoft representative responded to ArsTechnica, “while we agree that in general longer is better, we’ve found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords.” Microsoft Research actually did a comprehensive study of people’s password habits in 2007. The company found that people have on average 25 online accounts but just 6.5 passwords. While it is true that password reuse is a big problem for the majority of users, Microsoft is using this as an excuse to weaken internet security for everyone.

A Growing Problem

With the launch of Windows 8, Microsoft simplified most of its products to use a single sign-on, the Microsoft account system. Now you use one password across Windows, Hotmail, SkyDrive, Xbox, and others. Microsoft Account group program manager Eric Doerr blogged in July 2012 that “On the specifics… Password length — We are working on increasing this. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it’s a bigger change than it should be and takes longer to get to market.” The Microsoft Outlook.com team repeated that eight months ago in an AMA on Reddit.

It’s now been almost two years since this issue was raised and it is still not fixed. Particularly with Windows 8 defaulting users to Microsoft accounts, and presumably all future versions of Windows doing the same, the problem of weak passwords on an important system will only grow as old versions of Windows are phased out. Microsoft needs to get its act together before this problem gets any worse.


Dan Dzombak

Writer. Investor. Rational Optimist. Pittsburgh-export. Ideal is Long-Term Sustainable Happiness. http://www.DanDzombak.com